The effect of data breaches on company performance
Pages | 275-301 |
DOI | https://doi.org/10.1108/IJAIM-01-2019-0006 |
Published date | 27 March 2020 |
Date | 27 March 2020 |
Author | Ahmad H. Juma'h,Yazan Alnsour |
Subject Matter | Accounting methods/systems,Accounting & Finance,Accounting/accountancy |
The effect of data breaches on
company performance
Ahmad H. Juma’h
Department of Accountancy, University of Illinois, Springfield, Illinois, USA, and
Yazan Alnsour
Department of Computer Information Systems,
University of Northern Colorado, Greeley, Colorado, USA
Abstract
Purpose –This paper aims to analyzethe effect of data breaches –whose concerns and implicationscan be
legal, socialand economic –on companies’overall performance.
Design/methodology/approach –Information on data breaches was collected from online
compilations,and financial data on breached companies was collectedfrom the Mergent Online database. The
financial variables used were related to profitability, liquidity, solvency and company size to analyze the
financial performance of thebreached companies before and after the data breach event. Nonfinancial data,
such as the type and the size of the breaches, was also collected. The data was analyzed using multiple
regression.
Findings –The results confirmthat nonmandatory information related to announcements of databreaches
is a signal of companies’overallperformance, as measured by profitability ratios, returnon assets and return
on equity. The study does not confirm a relationshipbetween data breaches and stock market reactionwhen
measuringquarterly changes in share prices.
Research limitations/implications –The main limitation of the study relates to ratio and trend
analyses. Such analysesare commonly used when researching accountinginformation. However, they do not
directly reflect the companies’conditionsand realities, and they rely on companies’releasedfinancial reports.
Another limitation concerns the confounding factors. The major confounding factors around the data
breaches’dates were identified;however, this was not enough to assure that other factorswere not affecting
the companies’financialperformance. Because of the nature of such events, this studyneeds to be replicated
to include specific information about the companies using case studies. Therefore, the authors recommend
replicating the research to validate the article’sfindings when each industry makes more announcements
available.
Practical implications –To remediate the risks and losses associated with data breaches, companies
may use their reservedfunds.
Social implications –Company data breach announcements signal internal deficiencies. Therefore, the
affectedcompanies become liable to their employees, customersand investors.
Originality/value –The paper contributesto both theory and practice in the areas of accounting finance,
and informationmanagement.
Keywords Financial performance, Data breaches, Nonfinancial factors,
Number of breached records
Paper type Research paper
Declaration of interest: The authors report no conflicts of interest. The authors alone are responsible
for the content and writing of this paper.
Data breaches
275
Received19 January 2019
Revised20 April 2019
27June 2019
Accepted5 August 2019
InternationalJournal of
Accounting& Information
Management
Vol.28 No. 2, 2020
pp. 275-301
© Emerald Publishing Limited
1834-7649
DOI 10.1108/IJAIM-01-2019-0006
The current issue and full text archive of this journal is available on Emerald Insight at:
https://www.emerald.com/insight/1834-7649.htm
1. Introduction
Accelerated progress in communication, networks and information technologies is shaping
global business, and it is estimated to continue changing business structures for the
foreseeable future. This development has many advantages and disadvantages for all
organizations’stakeholders. Information systems management is increasingly considering
information security and privacy due to their potential critical issues for all company
activities. The magnitudeof the importance of breached data was described in the California
Data Breach Report 2012-2015(Harris, 2016) as follows:
In the past four years, the Attorney General has received reports on 657 data breaches,
affecting a total of over 49 million recordsof Californians. In 2012, there were 131 breaches,
involving 2.6 million records of Californians; in 2015, 178 breaches put over 24 million
records at risk. This means that nearly three in five Californians were victims of a data
breach in 2015 alone (p. 8).
Multinational companies rely heavily on technology and always have some technical
vulnerabilities, which means data breaches and losses are inevitable. Data is one of the
company’s most important assets,and the threat of losing data control is becoming an issue
that affects everyone. No matter whether companies establish guidelines and controls to
mitigate the risk of data breaches, hacking and phishing threats still exist. Information
security and privacy is a determining factor for companies’continuity and sustainability.
Companies are adopting several protection techniques such as system authentication, data
encryption, user access control and firewalls as wellas practices that aim to minimize such
risks such as employee training and userorientation to the company’s information security
policy and protocols. Despite these measures, perpetrators are becoming more organized
and sophisticated,and the risk is growing.
There are many recent examples of companies that have suffered from major data
breaches –Equifax, Anthem, eBay, JPMorgan Chase, Home Depot, Yahoo and Target,
among others. Assessing the economic effects of data breaches is a challenge for both
accounting and information security management (Schatz and Bashroush, 2016). Research
concerning the implications of data breaches is considered an emerging area (Ghosh and
Swaminatha, 2001;Spanos and Angelis,2015, 2016). Event studies have mostly shown that
data breaches have a negative effect on cumulative abnormal returns of publicly traded
companies. However, these same studies have shown mixed results concerning the
significance of the relationship between data breaches and company value/share. Event
studies using daily share prices investigate the immediate effect of a breach. Over a longer
timeframe, Kannan et al. (2007) found no significant negative effect of information security
breaches on company value. In descriptiveand comparative studies, Ko and Dorantes (2006)
found that sales increased significantly for the breached firms in the fourth quarter after a
security breach, contradicting the negative effects shown in most event studies performed
using daily share prices.
Stoel and Muhanna (2011) found that companies with information technology (IT)
weaknesses performed worse than firms with no weaknesses. Data breaches indicate
deficiencies in internal controls –particularly IT internal controls. Companies that are
continually improving theirIT controls to avoid cyber-incidents can reduce the risk of data
breaches. However, hackers’ability to penetrate larger companies’records,such as those of
Apple, Walmart and Equifax, indicates that hackers are becoming threats even to
companies that invest heavily in IT. Brody et al. (2018) indicatethat the potentially harmful
effects of malware, whichcan be financial and nonfinancial,are often not well known.
To contribute to the existing literature, the goal of this article is to analyze the
intermediate (quarterly) term effect of data breaches on companies’performance by
IJAIM
28,2
276
To continue reading
Request your trial